AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious install-time behavior was found, but the package exposes a powerful local agent web UI. With default HOST=0.0.0.0 and no auth unless configured, reachable HTTP clients can invoke shell/terminal and extension installation surfaces.
Decision evidence
public snapshot- Default CLI/server binds HOST to 0.0.0.0 with auth disabled unless UI_PASSWORD or API_KEY is set: bin/pi-kot.mjs, dist/server/config.js, dist/server/index.js.
- Authenticated-or-default-open exec routes run user-provided shell commands in project workspace: dist/server/routes/exec.js.
- Extension install/update/uninstall uses execSync string commands with request-controlled package names/specs, enabling shell injection if route is reachable: dist/server/extension-manager.js.
- Runtime extension setup writes ~/.pi/agent/settings.json and runs npm install in ~/.pi/agent/npm only after explicit API/UI action: dist/server/extension-manager.js.
- Ngrok tunnel provider can expose the local UI via explicit tunnel start and contacts https://api.ngrok.com plus local ngrok API: dist/server/tunnel/providers/ngrok.js.
- package.json has no preinstall/install/postinstall lifecycle scripts.
- bin/pi-kot.mjs only parses flags, sets env defaults, and imports dist/server/index.js when the user runs the CLI.
- No import-time credential harvesting or exfiltration flow found in inspected server entrypoints.
- High-entropy assets are KaTeX font files under dist/client/assets, consistent with bundled UI assets.
- Network access is package-aligned: npm registry update checks, ngrok diagnostics/tunnel support, model config endpoint use.
Source & flagged code
6 flagged · loading sourcePackage source references child process execution.
dist/server/file-searcher.jsView on unpkg · L1Package source references dynamic require/import behavior.
bin/pi-kot.mjsView on unpkg · L146Package source invokes a package manager install command at runtime.
dist/server/extension-manager.jsView on unpkg · L10Package ships high-entropy non-source blobs.
dist/client/assets/KaTeX_Script-Regular-D3wIWfF6.woff2View on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/server/tunnel/providers/ngrok.jsView on unpkg